Clay Shirky's Writings About the Internet
Economics and Culture, Media and Community,
Open Source

Enter the Decentralized Zone
Network Security will be a joke until IT departments recognize users' power.
05/29/2001
Digital security is a trade-off. If securing digital data were the only concern
a business had, users would have no control over their own computing environment
at all-the Web would be forbidden territory; every disk drive would be welded shut.
That doesn't happen, of course, because workers also need the flexibility to
communicate with one another and with the outside world.
The current compromise between security and flexibility is a sort of intranet-plus-
firewall sandbox, where the IT department sets the security policies that workers
live within. This allows workers a measure of freedom and flexibility while giving
their companies heightened security.
That was the idea, anyway. In practice, the sandbox model is broken. Some of the
problem is technological, of course, but most of the problem is human. The model
is broken because the IT department isn't rewarded for helping workers do new things,
but for keeping existing things from breaking. Workers who want to do new things are
slowly taking control of networking, and this movement toward decentralized control
cannot be reversed.
The most obvious evidence of the gap between the workers' view of the world and the
IT department's is in the proliferation of email viruses. When faced with the I Love
You virus and its cousins, the information technology department lectures users against
opening attachments. Making such an absurd suggestion only underlines how out of touch
the IT group is: If you're not going to open attachments, you may as well not show up
for work.
Email viruses are plaguing the workplace because users must open attachments to get
their jobs done- the IT department has not given them another way to exchange files.
For all the talk of intranets and extranets, the only simple, general-purpose tool for
moving files between users, especially users outside the corporation, is email. Faced
with an IT department that thinks not opening attachments is a reasonable option, end
users have done the only sensible thing: ignore the IT department.
Email was just the beginning. The Web has created an ever-widening hole in the sandbox.
Once firewalls were opened up to the Web, other kinds of services like streaming media
began arriving through the same hole, called port 80. Now that workers have won access
to the Web through port 80, it has become the front door to a whole host of services,
including file sharing.
And now there's ICQ. At least the IT folks knew the Web was coming-in many cases,
they even installed the browsers themselves. ICQ (and its instant messaging brethren)
is something else entirely-the first widely adopted piece of business software that no
CTO evaluated and no administrator installed. Any worker who would ever have gone to the
boss and asked for something that allowed them to trade real-time messages with anyone
on the Net would have been turned down flat. So they didn't ask, they just did it, and
now it can't be undone. Shutting off instant messaging is not an option.
The flood is coming.
And those three holes- email for file transfer, port 80 drilled through the firewall,
and business applications that workers can download and install themselves-are still
only cracks in the dike. The real flood is coming, with companies such as Groove Networks,
Roku Technologies, and Aimster lining up to offer workers groupware solutions that don't
require centralized servers, and don't make users ask the IT department for either help
or permission to set them up.
The IT workers of any organization larger than 50 people are now in an impossible
situation: They are rewarded for negative events-no crashes or breeches-even as workers
are inexorably eroding their ability to build or manage a corporate sandbox. The obvious
parallel here is with the PC itself; 20 years ago, the mainframe guys laughed at the
toy computers workers were bringing into the workplace because they knew that computation
was too complex to be handled by anyone other than a centralized group of trained
professionals. Today, we take it for granted that workers can manage their own computers.
But we still regard network access and configuration as something that needs to be
centrally managed by trained professionals, even as workers take network configuration
under their control. There is no one right answer-digital security is a trade-off. But
no solution that requires centralized control over what network users do will succeed.
It's too early to know what the new compromise between security and flexibility will
look like, but it's not too early to know that the old compromise is over.